Millions of New Android Phones Sold With Preinstalled Malware

Maddie Stone, a security researcher on Google’s Project Zero and a former tech lead on the Android Security team, flagged preinstalled malware on millions of new Android smartphones as a hidden threat that requires more attention.

Stone shared her team’s findings at the Black Hat USA 2019 conference in Las Vegas, in a presentation in which she said that a smartphone may have as many as 400 preinstalled apps out of the box. This is a major problem because attackers are attempting to hide malware in the preinstalled apps, as it is easier to convince one manufacturer to agree to a preloaded app than to convince thousands of users to download an infected file.

“If malware or security issues come as preinstalled apps,” Stone warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing, and analysis.”

The risk affects the Android Open Source Project, which is a lower-cost alternative to the full version of Google’s mobile operating system. AOSP is installed in cheaper smartphones to keep the price tag down, but unsuspecting customers are in danger of purchasing devices that come with preinstalled malware.

While this means that Android smartphones released by Google and partners such as Samsung are generally safe from the risk, Google’s Project Zero discovered more than 200 manufacturers who have launched devices with hidden malware. One particular malware of concern is Chamois, which upon infecting a device, generates ad fraud, installs background apps, downloads plugins and even send text messages at premium rates. In March 2018, Stone’s team found Chamois preinstalled in 7.4 million Android devices.

Google’s Project Zero has been working with device manufacturers to address the issue, and that has helped reduce the number of smartphones preinstalled with Chamois to only 700,000 between March 2018 and March 2019. Stone, meanwhile, called for security researchers to place a bigger focus on preinstalled malware as a security threat, as the attention is often directed towards malware that people are tricked into downloading themselves. Then again, even Android antivirus apps have shown to provide inadequate malware protection, according to a study from earlier this year.

Stone’s Black Hat presentation follows a study from June that claimed 43% of Android apps were found to have vulnerabilities, while 38% of iOS apps had the same issue.

Categories

we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS ,Facebook or Twitter for the latest updates. DigitalMunition is designed to help Auditors, Pentesters & Security Experts to keep their ethical hacking oriented toolbox up-to-date .
This website is made for educational and ethical testing purposes only。It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this website.